
Summary Report of the Office for the Advancement of Telehealth Seminar: Privacy, Security, and Confidentiality of Medical Records

Thursday, January 13th, 2000
Parklawn Building, Rockville Maryland

Background
The Department of Health and Human Services (DHHS) recently proposed regulations for both data security and privacy of individually identifiable health information pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA, health care organizations, provider plans, clearinghouses and organizations they contract with are subject to a series of technical and internal policy requirements relating to administrative simplification, security and privacy. Additionally, the Interagency Committee for Medical Records of the General Services Administration has issued guidelines for video capture devices.

The Office for the Advancement of Telehealth (OAT), formerly part of the Office of Rural Health Policy, Health Resources and Services Administration, has funded telemedicine demonstration programs since 1989 and has invested over $36 million in telemedicine demonstration and evaluation projects. Since OAT grantees will be subject to pending federal data security and privacy regulations, the Office decided to offer a one-day seminar on Privacy issues and HIPAA for its telemedicine grantees.

OAT believes that the move toward electronic health records and the transmission of sensitive patient data between and among health system partners raises a number of important issues. These issues include: organizational risk, designing security practices, organizing and maintaining a security effort, enhancing provider and patient understanding of privacy issues, implementing a secure Internet environment, and institutionalizing various roles and responsibilities.

OAT is committed to helping its grantees develop strategies that will help them assess and address the security and privacy threats they face, so that they may better comply with new federal regulations while at the same time improving their business processes.

Seminar
On January 13th, 2000, OAT convened a one-day seminar focused on privacy, security, and confidentiality issues affecting telemedicine grantees. Invited guests also included representatives of the Federal Joint Working Group on Telemedicine, and Federal health care officials from several agencies including HRSA, Indian Health Service, Food and Drug Administration, National Institutes of Health, Department of Defense, and the Veterans Health Administration.

Presenters from academia, government, and industry provided a wide perspective on the legal, policy development, and implementation considerations which most health care organizations face.

The seminar goals were to:

  • Review pending Congressional laws and proposed DHHS administrative actions pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Provide a high-level understanding of the many concurrent processes and players underway within government, academia and industry working on solutions to the problem.
  • Determine a sequence of activities to help position telemedicine grantees and DHHS service delivery organizations in compliance with likely legislation, regulations, and/or industry-imposed quality or other standards.
  • Identify immediate steps which telemedicine programs, DHHS health care institutions, and funded organizations should be taking to ensure a more secure (and therefore a more compliant) environment.
  • Exemplify by way of case study, recent successful programs whose experience may prove invaluable to other telemedicine efforts, DHHS organizations and institutions; and otherwise help achieve the educational goals and objectives of the Department with regard to information security.

Presentations
Neal Neuberger, President of Health Tech Strategies, LLC and Jeff Collmann, Ph.D. of Georgetown University Medical Center organized and facilitated the seminar. Health Tech Strategies, LLC has produced an extensive series of regional workshops titled: Privacy, Security, and Confidentiality of Medical Records: Complying With Sweeping New HIPAA Requirements.

Dr. Collmann is the editor of the Computer-based Patient Record Institute (CPRI) Toolkit, Managing Information Security in Healthcare, which provides up-to-date materials regarding laws, rules and regulations as well as model security policies and best practices from major health care institutions throughout the nation. Seminar organization and content have been based on the CPRI Toolkit approach toward building "security capable organizations."

A brief summary of seminar presentations follows:

Jeff Collmann, Ph.D
Georgetown University Medical Center, ISIS Radiologic Imaging Center

Dr. Collmann presented an overview of HIPAA’s requirements from the perspective of telemedicine programs. He briefly discussed the range of HIPAA Administrative Simplification rules addressing electronic transactions and code sets, and then, in more detail, described the provisions contained in pending data security and electronic signature regulations and draft privacy rules. Dr. Collmann discussed the need for good administrative practices on the part of telemedicine programs, including the need for access controls, contingency plans, internal audits, personnel security, termination procedures, training, and assigning security responsibilities within programs. He also discussed risk assessment and management as central to HIPAA compliance, and then described, by way of example, the Georgetown ISIS Center security process. Likening the issue to "Universal Precautions", Dr. Collmann concluded that health information security applies to everybody in the institution, is part of the job, requires orientation and annual training, should be a component of annual review, and must be approached with technological innovations in mind.

Shannah Koss
IBM Global Healthcare

Shannah Koss of IBM Health Care, Security and Government Programs presented an overview of HIPAA requirements, discussed steps toward becoming HIPAA compliant, and outlined risk assessment frameworks and approaches that are a critical component of HIPAA compliance. She reviewed a matrix of the various administrative procedures and technical safeguards that institutions should consider, and discussed the relative importance of various approaches. She started with a review of the draft regulations in terms of what information is covered under the rules, preemption, authorization provisions, use and disclosure requirements, contracts and business partner agreements, notification, review and other regulatory measures. Ms. Koss next described a checklist that telemedicine and other programs should begin addressing. Included among these policies and procedures are establishing physical safeguards, audit trails, proper documentation, and cross-functional security teams. Institutions need to begin with a baseline security assessment, then perform a "gap analysis" and risk assessment, identify available resources, develop policies, begin implementing enterprise-wide security solutions, establish high-level administrative support, and provide constant auditing and documentation of their processes.

Jeremy E. Pierotti
Allina Health System

Jeremy E. Pierotti, Director, HIPAA Program, Allina Health System discussed current security structures and initiatives at Allina including their management structure, work plan, and risk assessment activities. Their year 2000 security priorities center around firewall security, identifying and reviewing business partner relationships, securing outbound Internet access, and providing staff education. A HIPAA Program Management Office has been established and is implementing a work plan in stages focused on risk assessment activities based on a high-level impact assessment grid, which Mr. Pierotti distributed at the seminar. Allina anticipates that their security program will be successful if they can maintain senior management support, solid program structure, thorough step-by-step risk assessment, exceptional internal communications, and adherence to project management practices.

Jack Smith, Ph.D, M.D.
University of Texas, School of Allied Health Sciences

Dr. Jack W. Smith, Chairman of Health Informatics, University of Texas, School of Allied Health Sciences, discussed developing and implementing confidentiality and security policies. Dr. Smith reported on the University’s health security team, which includes broad representation from interested and affected parties including IT, Nursing, Pharmacy, Physicians, Case Managers, Medical Records Professionals, and the Chief Information Officer. In a collaborative manner, the team addresses potential problems having to do with vendor selection, lack of appropriate IT training among many key staff, unique health problems and situations, and others. Security in a large health organization like UT is a "career" requiring constant and ongoing attention by a full range of professionals, since regulatory bodies may be "clueless" and there is a constant need to integrate relations between disparate cultures, economic, societal, and social norms, and information systems. Health information security requires an interdisciplinary, inter-professional approach and considerable flexibility. Dr. Smith discussed the form and function of his security team, and then described some of the technologies they are using, including Public Key Infrastructure or "PKI". Authentication techniques like digital signatures, which both authenticate the sender and guarantee message integrity, are being used, along with encrypted E-mail, access controls, and the "Lightweight Directory Access Protocol" or "LDAP", which is a general purpose, standards-based directory service.

Stanley Nachimson
Health Care Financing Administration

Stanley Nachimson, Health Care Financing Administration, discussed HIPAA provisions relating to transactions, identifiers, and security. Reviewing the efficiency and effectiveness goals of the HIPAA Administrative Simplification provisions, Nachimson briefly described mandated standards including: transaction standards like claims or equivalent encounters; referral certification and authorization; enrollment and disenrollment in a health plan; claims status; and attachments. Additional required standards include: coordination of benefits information; unique identifiers (including allowed uses) for individuals, employers, health plans, and health providers; code sets; as well as security and privacy standards. He then discussed the standards adoption process in terms of pending rules, comment periods, upcoming publications, and the current status of each regulation.

John Parmagiani
Health Care Financing Administration

John Parmagiani, Director of Enterprise Standards, HCFA, next described HCFA’s Internet Security Policy, which flows from a policy memo generated in response to intermediary questions in Region II. Basically, HCFA Privacy Act and other sensitive HCFA information will be protected under the new policy, which requires encryption as well as authentication and identification. The HCFA policy will mesh with HIPAA rules, affects only data in transmission, and is scalable. HCFA is working closely with industry groups to gain support for workable policies, including the WEDI/AFEHCT organizations, which are modeling and testing current policies.

John Fanning, LLB
Division of Data Policy, ASPE, DHHS

John Fanning, LLB, Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation, DHHS, is one of the chief architects of the pending HIPAA-required Privacy Regulations. For the seminar, Mr. Fanning presented an overview of the underlying HIPAA legislation and the impetus behind the bill in the context of Administrative Simplification. Mr. Fanning discussed:

  • the Department’s principles with respect to privacy,
  • additional background concerning state and Federal law, who and what are covered under the proposed privacy regulations including basic requirements, rights for individuals under the rule,
  • disclosure provisions,
  • use and disclosure for treatment,
  • payment and health care operations, and
  • other allowable disclosures without patient consent.

Finally, Mr. Fanning outlined internal practices and administrative procedures for handling protected health information and discussed issues of preemption of state laws, as well as additional uses without patient authorization. Several questions were raised concerning the scope and nature of "contracting" and "business partner agreement" requirements under the data security and privacy rules.

MAJ. Catherine Beck
U.S. Army Medical Research & Materiel Command

Major Catherine Beck, Information Sciences Division, Telemedicine and Advanced Technology Research Center, U.S. Army Medical Research and Materiel Command, described recent videotape documentation guidelines and the Department of Defense Healthcare Information Assurance program. Under her leadership, guidance concerning videotape documentation was released recently in the Federal Register. These guidelines underscored that while videotapes are not part of the medical record, when an episode of care is documented, the patient must provide prior written consent for the taping unless the consultation is for the documentation of abuse or neglect. After standard documentation is complete, the tape should be erased unless exempted for some specific reason. Exceptions to prohibitions against retaining tapes may be made for educational cases if Privacy Act regulations are followed. Moreover, the guidelines do not apply to electronic images such as radiographs and digital photos, for which documentation processes are already in place.

Following this discussion, Maj. Beck briefed the group on the DoD Healthcare Information Assurance program, which was Congressionally funded in 1998 to enhance the protection and privacy of electronic healthcare information among military health systems. Program goals are to ensure compliance with HIPAA, ensure security of current systems, and plan for the security of future healthcare systems. Information assurance regulations will be identified, gaps between HIPAA and current DoD regulations will be identified, the impact on echelons of care will be assessed, and risk assessment capabilities will be built. Following these exercises, security simulation models will be built, Risk Information Management Resources (RIMR) established, and Medical Information Security Readiness Teams fielded.

Neal Neuberger
Health Tech Strategies, LLC

Neal Neuberger, President of Health Tech Strategies, LLC and seminar producer on behalf of OAT, concluded the day by briefing attendees about pending legislation relating to privacy in the 106th Congress and at the state level. Mr. Neuberger outlined the impetus behind some pending bills. These include legal deadlines under the 1996 HIPAA law; DHHS’ preference for further Congressional action; the EU Data Directive of 1995; the absence of a comprehensive Federal privacy law; the growth of unsecured IT projects in healthcare; and scientific developments in the Human Genome Project and others. Mr. Neuberger discussed some of the hundreds of different state laws that may necessitate a uniform national approach. He then described similarities and dissimilarities (areas of contention) in the leading Congressional measures by Senators Leahy (S.573), Jeffords (S.578), and Bennett (S.881). Outstanding issues include:

  • how to deal with issues of preemption,
  • parental notification and minors rights,
  • law enforcement access to records,
  • how research organizations will be covered,
  • scope and reach of provisions,
  • how the provisions will be enforced, and
  • the degree to which patients will be allowed "private rights of action" which may arise out of security breaches.

Neuberger discussed the outlook and prospects for additional legislation during the second session of the 106th Congress, just as lead members and staff are analyzing pending data security and privacy rules to determine if additional legislation is needed.
